[TAG] (forw) Re: (forw) Re: lpr works for user not root in Basiclinux 2.1

Sindi Keesan keesan at grex.cyberspace.org
Sun Jan 28 07:44:27 MSK 2007


>
>>>> Do you monitor the logs? Do you run chkrootkit regularly? Do you
>>>> monitor portscans?

I downloaded (about 40K) chkrootkit.tar.gz, unpacked it and typed make 
sense, and it produced chkrootkit and some other files.

./chkrootkit wanted netstat.  It was a 7 min download in a package and I 
extracted it with tar -zxvf tcpicp1.tgz bin/netstat and put it into /bin.

chkrootkit then told me I had six infected files:

basename dirname echo env ifconfig and traceroute.

These are all part of busybox 1.1.0 compiled statically against uClibc.
Are they really infected (with what?) or is uClibc confusing chkrootkit?
They are not in the typical locations but are on the path.

telnetd and su in busybox are not infected.

Checking 'date' ... bash
/bin/csh
INFECTED

(I have a /bin/bash but no csh.  Command not found.)

How do I interpret the above?


Some things it could not find, some it said were not infected, such as 
cron.  I don't have a cron.  Same for ldsopreload and sshd and write.

Checking 'lkm'...You have 13  process hidden for ps command
chkproc:  Warning:  Possible LKM Trojan installed.

no rootkits or worms found..



